Traffic Steering & Service Chaining Optimize & Monetize with PEM Bart Salaets Solution Architect
Agenda F5 Gi LAN Strategy Traffic Steering & Service Chaining Recent Evolutions Policy-Based Per-Flow and Per-Transation Steering Static & Dynamic Service Chaining : Evolution to IETF model Policy Enforcement Manager Traffic Classification Policy Actions Evolution towards NFV Summary F5 Agility 2014 2
F5 Gi LAN Strategy
F5 in the S/Gi network A Consolidated Approach Simplifying the delivery of network services BEFORE F5 Static port 80 steering VAS layer PGW/ GGSN RTR LDNS Policy Enforcement URL Filtering CGNAT Firewall Internet WITH F5 Dynamic intelligent steering VAS layer VIPRION PGW/ GGSN Internet F5 Agility 2014 4
Traffic Steering & Service Chaining
Traditional Steering to VAS & Optimization platforms A router steers all port 80 traffic to VAS platforms STATIC STEERING GGSN PGW RTR DPI Firewall/CGNAT Internet Data Center All port 80 traffic service chained through all VAS platforms Video Optimization Transparent Caching Parental Controls WAP Gateway F5 Agility 2014 6
Challenges with the traditional approach All VAS platforms need to classify and process all port 80 traffic Waste of resources for pass-through traffic Duplication of resources Time-to-market challenge for new services Network integration PCC integration Video optimization and transparent caching requires a fresh look Cost benefit or QoE mgmt tool Rise of ABR video (HLS, MPEG-DASH) Increase in SSL / SPDY F5 Agility 2014 7
Challenges with the traditional approach Doing more of the same is economically no longer viable F5 Agility 2014 8
Solution : Intelligent traffic steering to VAS platforms Offloading VAS services & Optimizing infrastructure utilization INTELLIGENT STEERING Diameter Gx PCRF PGW/ GGSN RTR VIPRION Internet CONTEXT SUBSCRIBER DEVICE-TYPE RAT-TYPE CONTENT (VIDEO, URI,... ) CONGESTION Video Optimization Transparent Caching Data Center Context-aware & policy-driven steering & intelligent service chaining Parental Controls WAP Gateway F5 Agility 2014 9
Policy-Based per-flow Steering Use cases Steering policy for each flow dependent on... Subscriber policy RAT-Type (2G / 3G / LTE / Wifi) Location (roaming) Network congestion Device-type (IMEI, HTTP User-Agent) Content-Type (HTTP Content-Type, DPI signature)... or any combination of the above Control Plane interactions Diameter Gx (from PCRF) Radius (from GGSN) Custom API (eg for congestion based steering) F5 Agility 2014 10
Policy-based Flow Steering in Action Steering to 2 VAS services : Subscriber + RAT-type based User Service Policy John Video Optimization LTE bypass Parental Control No Service Provider VAS Control Plane Paul Video Optimization Always Parental Control Yes Video Optimization Parental Control PCRF AAA Emma Radius (RAT-type updates) Radius Diameter Gx Other API John GGSN PGW Paul Internet Subscriber
Policy-based Flow Steering in Action User John : http traffic in LTE User Service Policy John Video Optimization LTE bypass Parental Control No Service Provider VAS Control Plane Paul Video Optimization Always Parental Control Yes Video Optimization Parental Control PCRF AAA Emma John http (LTE) GGSN PGW Radius Radius Diameter Gx Other API Paul Internet Subscriber
Policy-based Flow Steering in Action User John : http traffic in 3G User Service Policy John Video Optimization LTE bypass Parental Control No Service Provider VAS Control Plane Paul Video Optimization Always Parental Control Yes Video Optimization Parental Control PCRF AAA Emma John http (3G) GGSN PGW Radius Radius Diameter Gx Other API Paul Internet Subscriber
Policy-based Flow Steering in Action User Paul : http traffic in 3G or LTE User Service Policy John Video Optimization LTE bypass Parental Control No Service Provider VAS Control Plane Paul Video Optimization Always Parental Control Yes Video Optimization Parental Control PCRF AAA Emma John GGSN PGW Radius Radius Diameter Gx Other API Paul http Internet Subscriber
Policy-Based Flow Steering & Service Chaining Summary POLICY-BASED STEERING + LOAD BALANCING RADIUS (RAT-TYPE updates for subscriber in interim accounting) DIAMETER Gx (subscriber policy indicates parental control) PCRF PGW/ GGSN RTR Intelligent Steering Platform DPI Firewall CGNAT Internet CONTEXT SUBSCRIBER POLICY DETERMINES STEERING TO PARENTAL CONTROL Steering leg controlled by Radius (RAT-Type) Data Center Steering leg controlled by PCRF (subscriber policy) RAT-TYPE DETERMINES STEERING TO VIDEO OPT. Video Optimization Transparent Caching Parental Control WAP Gateway F5 Agility 2014 15
Policy-based per-transaction Steering Video Optimization A changing use case Increasing desire to offload any HTTP traffic that is not carrying video Increasing desire to offload ABR video traffic Possibly further refined with per-subscriber (for QoE differentiation) and RATtype based (for LTE offload) steering policies The Technical Challenge Accurate video detection requires checking both the HTTP request and the response headers If the detection happens at the response level, how can we steer video to video optimizers after-the-facts (connection to video server is already established)? The Technical Solution Requires HTTP request-based & response-based (per-transaction) steering F5 Agility 2014 16
HTTP Messages Differ from IP Packets & TCP Flows Packet Header HTTP Header Split Across packets TCP/IP Packet HTTP Message Header HTTP Message Body GET / HTTP/1.1\r\n Host: www.myhost.com\r\n Transfer-Encoding: chunked\r\n Cookie: userid= username, userdata=abdefa1839290 \r\n User-Agent: Mozilla \r\n \r\n Multiple Messages in one packet <body data> 0\r\n Body Terminator for chunked mode HTTP message can span multiple packets Packets may have multiple HTTP messages Delimiting HTTP messages may require inspection of every byte Message steering in some cases may cause TCP stream to be split may lead to chaos in client to end point communication
Steering on HTTP Request Establish TCP connection with client (full handshake) For each HTTP request message within that TCP connection from client Parse the HTTP request headers If steering policy is dependent on value(s) of one or more of the HTTP headers, then determine the nexthop (VAS endpoint) for this HTTP message according to this steering policy Establish new TCP connection with the VAS selected in the steering policy and forward the HTTP message between client and selected VAS In case of service chaining (multiple VAS endpoints) there will be several TCP connections being set up over which the HTTP message will be forwarded F5 Agility 2014 18
Steering on HTTP Response Establish TCP connection with client (full handshake) Establish another TCP connection with the server (full handshake) Forward HTTP message from client to server over the full proxy For each HTTP response message within that TCP connection from server Parse the HTTP response headers If steering policy is dependent on value(s) of one or more of the HTTP headers, then determine the nexthop (VAS endpoint) for this HTTP message according to this steering policy But how do we steer to the VAS? The connection with the server is already established... F5 Agility 2014 19
Steering on Response Sequence of events RAN PGW/ GGSN RTR Intelligent Steering Platform INTERNET HTTP Request Forward HTTP Request Mobile Client Response to Client with 302 redirect to same URI extended with classification info HTTP Response (original video) 123.com POLICY EXECUTION IF CONTENT-TYPE STARTS WITH VIDEO/ CONTENT-LENGHT > 1024KB THEN REDIRECT TO VIDEO OPTIMIZATION Video Optimization F5 Agility 2014 20
Steering on Response After the HTTP redirect RAN PGW/ GGSN RTR New HTTP request with classification info embedded in the URI Intelligent Steering Platform INTERNET Mobile Client HTTP Response (optimized video) POLICY EXECUTION IF URI CONTAINS VIDEO CLASSIFICATION INFO THEN STEER TO VIDEO OPTIMIZATION & DELETE CLASSIFICATION INFO FROM URI Steer HTTP Request to Video Optimizers Video Optimization HTTP Response (optimized video) 123.com New HTTP connection (original video) F5 Agility 2014 21
Steering on Response ICAP variant with Skyfire RAN PGW/ GGSN RTR Intelligent Steering Platform INTERNET Rocket Optimizer HTTP Request from client Forward HTTP Request Mobile Client Response to Client with 302 redirect to Skyfire Rocket optimizer (orginal URI embedded) ICAP Request (preview) HTTP Response 123.com ICAP Response (302 redirect to Rocket Optimizer) Analyze ICAP preview Do we optimize? Yes! Rocket Controller SKYFIRE PRE-FILTER LOGIC IF CONTENT-TYPE STARTS WITH VIDEO/ CONTENT-LENGTH > 1024KB THEN ICAP REQUEST TO ROCKET CONTROLLER F5 Agility 2014 22
Steering on Response After the HTTP redirect RAN PGW/ GGSN RTR http://cloud.skyfire.com/[url]?[cookie] Intelligent Steering Platform Forward HTTP request HTTP response (optimized video) INTERNET Rocket Optimizer HTTP request (original URL+cookie) Mobile Client Forward HTTP response (optimized video) HTTP response (original video) ICAP Response (204 : No content) ICAP Request (preview) 123.com Analyze ICAP preview This is optimized flow Rocket Controller SKYFIRE PRE-FILTER LOGIC IF CONTENT-TYPE STARTS WITH VIDEO/ CONTENT-LENGTH > 1024KB THEN ICAP REQUEST TO ROCKET CONTROLLER F5 Agility 2014 23
IETF Service Chaining Working Group IP networks rely more and more on the combination of advanced functions Besides basic routing and forwarding functions (optimization, proxy, DPI, FW) The goal is to enforce service-inferred forwarding for traffic traversing a given domain Differentiated by the set of Service Functions to be invoked Service-inferred forwarding is policy-based. Policies may be: Subscriber-aware Based on flow characteristics TE-oriented (e.g., optimize network resource usage) Combination thereof Several Service Function Chaining (SFC) IETF drafts available F5 Agility 2014 24
IETF Service Function Chaining SFC ingress : Policy classification will determine service chain SFC-ID pointing to a sequence of service functions (SFs) All Service Functions may be policy controlled via a control plane Meta-data can be added to the packets (to convey the SFC-ID to the SFs) Packet forwarding between SFs can be plain IP, SDN, overlay networks,... SFC-ID=1 LOAD BALANCER (SF1) WEB PROXY (SF2) FIREWALL (SF3) NAT44 (SF4) SFC-ID=2 DPI (SF5) HEADER ENRICHM. (SF6) FIREWALL (SF3) F5 Agility 2014 25
Static & Dynamic Service Chaining Today with F5 INTELLIGENT SERVICE CHAINING PCRF PGW/ GGSN RTR Intelligent Steering Platform DPI Firewall CGNAT Internet VAS Video Optimization STATIC SERVICE CHAINING Transparent Caching Parental Control WAP Gateway DYNAMIC SERVICE CHAINING INTELLIGENT STEERING POLICY DEFINES A FIXED SERVICE FUNCTION CHAIN (E.G. VAS1-VAS4) INTELLIGENT STEERING POLICY HAS BUILT-IN CONDITIONAL CHECKS PER VAS LEG TO DETERMINE NEXT-HOP IN THE SERVICE CHAIN F5 Agility 2014 26
Intelligent Service Chaining Today and Future SFC Ingress Classification PHYSICAL TRAFFIC STEERING + L4-L7 SFC Forwarding SFC Ingress Classification VIRTUAL (NFV) TRAFFIC STEERING SFC Forwarding PHYSICAL OR VIRTUAL (NFV) VAS 1 VAS 2 VAS 3 VAS 4 VAS 5 VIRTUAL (NFV) VAS 1 VAS 2 VAS 3 L4-L7 VAS 4 VAS 5 L4-L7 Available today F5 TCP & HTTP proxy Flexible use of "steering headers" towards VAS platforms (HTTP headers, DSCP,... ) Forwarding based on connection entries VAS health check built in (load balancing) Control plane steering possible (eg ICAP) IETF drafts Requires all vendors to agree on same standard (packet header for metadata) How to leverage SDN for forwarding? How to do VAS health-checks? How to do control plane steering? F5 Agility 2014 27
Policy Enforcement Manager (PEM)
Policy Enforcement Manager Policy Definition Policy Name Bronze Policy Name Silver Policy Rule Name 1 Gold Rule 1 Rule 1 Rule 2 Rule 2 Rule 2 Rule 3 Rule 3 Rule 3 PREC 10 CLASSIFIER RULE_10 POLICY ACTION RULE_10 PREC 10 CLASSIFIER RULE_10 POLICY ACTION RULE_10 CLASSIFIER PREC 20 RULE_1 CLASSIFIER RULE_20 POLICY ACTION POLICY RULE_1 ACTION RULE_20 PREC 20 CLASSIFIER RULE_20 POLICY ACTION RULE_20 CLASSIFIER PREC 30 RULE_2 CLASSIFIER RULE_20 POLICY ACTION POLICY RULE_2 ACTION RULE_30 PREC 30 CLASSIFIER RULE_20 POLICY ACTION RULE_30 CLASSIFIER RULE_3 POLICY ACTION RULE_3 POLICY TYPE SUBSCRIBER TYPE POLICY ASSIGNMENT ANALYTICS & CHARGING Global Policy Static subscriber Diameter Gx Syslog Unknown Subscriber Policy Subscriber Policy Dynamic subscriber Radius DHCP Unknown IP SA Predefined Dynamic (gate, QoS) Radius Custom IPFIX Radius Gy Gx Usage Monitoring F5 Agility 2014 29
Classification & Policy Actions APPLICATION CLASSIF. URL CLASSIF. FLOW CLASSIF. CUSTOM CLASSIF. Application Category (eg. P2P) Application (eg. bittorrent) Some applications are using F5 signatures, other applications rely on third party DPI signature engine URL Category (eg. Gambling) URL database from third party Ability to create custom DB Used for HTTP and HTTPS (SNI check) DSCP Protocol (TCP/UDP) IP source address range & port IP destination address range & port Incoming VLAN irule / TCL script Examples Other fields in the traffic flow (ip header, http header,... ) Other fields stored in the PEM sessiondb for that subscriber (RAT-type, roaming, tower-id) REPORTING HTTP REDIRECT HTTP HDR ENR. QOS MARKING QUOTA MGMT STEERING (NH) STEERING (ICAP) BW CONTROL POLICY ACTIONS SERVICE CHAIN GATE (FWD) CUSTOM / TCL F5 Agility 2014 30
PEM Wide range of use cases Per-subscriber Application & URL Bandwidth Control & Filtering TCP-friendly rate limiter Separate up/down rates Highly scalable solution TCP Optimization as a bonus Subscriber Application Analytics Subscriber ID / Rate Plan Charging rules Application Usage Reporting Intelligent Traffic Steering & Service Chaining to VAS Steer traffic based on subscriber profile to Value Added Services & Optimization Services Intelligent Service Chaining Online Charging (Gy) Flexible rating group definitions based on applications and/or URI Redirect or block upon quota expiration URL Filtering & Parental Control Government lists Per-subscriber parental control opt-in/opt-out service For HTTP & HTTPS OTT Identification & Monetization Per-subscriber OTT application detection Per-OTT bandwidth, marking and charging rules Header Enrichment & WAP offload HTTP HE for content-based charging WAP GW bypass/offload and replacement Content Injection / Toolbars Java-script based content injection Targeted advertisements Lightweight BRAS/BNG DHCP-based BNG model for wifi and wireline deployments Radius AAA client F5 Agility 2014 31
Evolution towards NFV
Step 1 : Consolidate SGi Functions & Virtualize VAS Layer ADC DNS Policy Enforcement TCP Optimization CGNAT Firewall PGW/ GGSN RTR VIPRION Internet VM Management and Orchestration Virtualize the VAS layer Integrate both physical VIPRION and VNFs running VAS/optimization services into Orchestration tool Gi VAS VM VM VM Hypervisor VNF Video Optimization Allow for dynamic VAS bursting Transparent Caching URL Filtering Parental Controls NFV Infrastructure F5 Agility 2014 33
Step 2 : Virtualize SGi + VAS layer (NFV) ADC DNS Policy Enforcement TCP Optimization CGNAT Firewall VM VM VM Hypervisor PGW/ GGSN RTR NFV Infrastructure Internet Virtualize the Gi & VAS layer Both Gi inline functions and VAS/optimization functions are fully virtualized (deployed as VNF) VM VM VM Hypervisor Gi VAS VM VM VM VM VM VM Hypervisor Hypervisor VM VM VM Hypervisor VM Management and Orchestration VNF VNF VNF PEM+CGN+AFM Video Optimization Transparent Caching Several deployment models NFV Infrastructure VNF Parental Controls F5 Agility 2014 34
Virtualizing SGi functions VNF mapping alternatives TRAFFIC STEERING + L4-L7 TRAFFIC STEERING VIDEO OPT TRANSP CACHE URL FILTER VIDEO OPT TRANSP CACHE Maintain the L4-L7 consolidation model as deployed in the physical world in the NFV world So you run PEM, CGN and AFM on the same VE (or on separate VEs but all inline in the data path) Only maintain PEM inline in the data path for intelligent traffic steering Treat functions such as CGNAT and security/firewall functions as VAS services (which are only used for selected flows) F5 Agility 2014 35
Summary
Summary Traffic Steering & Service Chaining Market is demanding advanced steering capabilities for VAS offload F5 PEM platform supports context-aware intelligent steering and service chaining Market is demanding an evolution path towards IETF-based service chaining F5 PEM platform provides a stepwise approach Market is demanding a solution that supports a wide variety of use cases F5 PEM platform supports a wide range of classification criteria coupled with strong policy action mechanisms Market is demanding a solution that can migrate from physical to virtual F5 PEM platform provides such a migration path, offering multiple alternative deployment options for NFV F5 Agility 2014 37